Global cybersecurity agencies detail cyber threat from LockBit ransomware hackers

A joint cybersecurity advisory (CSA) has been released by global cybersecurity agencies to help organizations understand and defend against threats from hackers using LockBit, a globally used and prolific Ransomware-as-a-Service (RaaS), in 2022 and 2023. The document outlined that the RaaS model enables affiliates to conduct ransomware attacks using LockBit's ransomware tools and infrastructure.

Due to a large number of unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs). This variance in observed ransomware TTPs presents a notable challenge for organizations working to maintain network security and protect against a ransomware threat. The cybersecurity agencies also provide recommended mitigations to help reduce the likelihood and impact of future ransomware incidents and enable network defenders to proactively improve their organization’s defenses against this ransomware operation.

“The LockBit RaaS and its affiliates have negatively impacted organizations, both large and small, across the world. In 2022, LockBit was the most active global ransomware group and RaaS provider in terms of the number of victims claimed on their data leak site,” according to the advisory titled ‘Understanding Ransomware Threat Actors: LockBit,’ released on Wednesday by the U.S. CISA (Cybersecurity and Infrastructure Security Agency), FBI (Federal Bureau of Investigation), MS-ISAC (Multi-State Information Sharing and Analysis Center), and the cybersecurity authorities of Australia, Canada, the United Kingdom, Germany, France, and New Zealand (CERT NZ, NCSC-NZ).

The document added that a RaaS cybercrime group maintains the functionality of a particular ransomware variant, sells access to that ransomware variant to individuals or groups of operators, or ‘affiliates,’ and supports affiliates’ deployment of their ransomware in exchange for upfront payment, subscription fees, a cut of profits, or a combination of upfront payment, subscription fees, and a cut of profits.

LockBit hackers have been identified behind rail and maritime port attacks. In January, rail infrastructure company Wabtec notified individuals of a personal data security breach in which their personal information was compromised during an incident affecting its U.S., Canada, U.K., and Brazil entities. The website of the Port of Lisbon (Porto de Lisboa) remained down for nearly ten days after officials confirmed cyber attackers had targeted it. Around the same time, the LockBit ransomware group added the organization to its extortion site, claiming the ransomware attack.

The advisory disclosed that the most recently observed LockBit activity in Australia was on April 21, 2023; in New Zealand in February 2023; and in the U.S., as recently as May 25, 2023.

“Working with our U.S. and international partners, CISA is focused on reducing the prevalence of ransomware intrusions and their impacts, which include applying lessons learned from prior ransomware incidents that have affected far too many organizations,” Eric Goldstein, executive assistant director for cybersecurity at CISA, said in a media statement. “As we look to the future, we must all work together to evolve to a model where ransomware actors are unable to use common tactics and techniques to compromise victims and work to ensure ransomware intrusions are detected and remediated before harm can occur.” 

“The FBI relentlessly pursues ransomware actors who continue to exploit vulnerable cyber ecosystems,” Bryan Vorndran, assistant director of the FBI’s Cyber Division, said. “We are better positioned to combat this type of malicious activity through coordination and collaboration with our federal and international partners, which are key to better mitigating and preventing harm against the American public and our allies. The FBI encourages all organizations to review this CSA and implement the recommended mitigation measures to better defend against threat actors using LockBit.”

Since 2020, there have been about 1,700 LockBit ransomware attacks in the U.S. alone, costing businesses and organizations approximately US$91 million in paid ransom. To help organizations understand and defend against this global threat and its large number of unconnected LockBit affiliates, the advisory contains a list of approximately 30 freeware and open-source tools used by LockBit actors; over 40 of their TTPs mapped to MITRE ATT&CK; observed common vulnerabilities and exposures (CVEs) used for exploitation; the evolution of LockBit RaaS along with worldwide trends and statistics; and recommended resources and mitigations to protect against this ransomware threat.

Some of the methods LockBit has used to attract affiliates include, but are not limited to, assuring payment by allowing affiliates to receive ransom payments before sending a cut to the core group; disparaging other RaaS groups in online forums; and engaging in publicity-generating stunts, such as paying people to get LockBit tattoos and putting a $1 million bounty on information related to the real-world identity of LockBit’s lead, who goes by the persona ‘LockBitSupp.’ The group has also developed and maintained a simplified, point-and-click interface for its ransomware, making it accessible to those with a lower degree of technical skill.

“LockBit has been successful through innovation and ongoing development of the group’s administrative panel and the RaaS supporting functions,” the advisory said. “In parallel, affiliates that work with LockBit and other notable variants are constantly revising the TTPs used for deploying and executing ransomware.”

LockBit hackers have attacked organizations of various sizes across critical infrastructure sectors. LockBit-named ransomware was first seen on Russian-language cybercrime forums in January 2020. In Australia, from April 1, 2022, to March 31, 2023, LockBit made up 18 percent of total reported Australian ransomware incidents, a figure that includes all variants of LockBit ransomware, not solely LockBit 3.0. Canada reported in 2022 that LockBit was responsible for 22 percent of attributed ransomware incidents. In New Zealand in 2022, CERT NZ received 15 reports of LockBit ransomware, representing 23 percent of 2022 ransomware reports.

In 2022, in the U.S., 16 percent of the State, Local, Tribal, and Territorial (SLTT) government ransomware incidents reported to the MS-ISAC were identified as LockBit attacks. The data included ransomware incidents impacting municipal governments, county governments, public higher education and K-12 schools, and emergency services.

The document identified that the earliest observed LockBit activity in Australia came from the occurrence of LockBit 3.0 in early August 2022. The first recorded instance of LockBit activity in Canada was in March 2020, while the initial recorded incident involving LockBit ransomware was in March 2021 in New Zealand. In the U.S., LockBit activity was first observed on January 5, 2020.

From the first case in July 2020 to the present, the National Cybersecurity Agency of France (ANSSI) has handled 80 alerts linked to the LockBit ransomware, which accounts for 11 percent of all ransomware cases handled by ANSSI in that period. “In about 13% of those cases, ANSSI was not able to confirm nor deny the breach of its constituents’ networks, as the alerts were related to the threat actor’s online claims. So far, 69 confirmed incidents have been handled by ANSSI,” the advisory added.

The agencies observe data leak sites, where attackers publish the names and captured data of victims who do not pay the ransom or hush money. These sites can also be used to record alleged victims who have been threatened with a data leak. The term ‘victims’ may therefore include organizations that were actually attacked as well as those threatened or blackmailed on the claim that an attack took place.

“The leak sites only show the portion of LockBit affiliates’ victims subjected to secondary extortion. Since 2021, LockBit affiliates have employed double extortion by first encrypting victim data and then exfiltrating that data while threatening to post that stolen data on leak sites,” the advisory identified. “Because LockBit only reveals the names and leaked data of victims who refuse to pay the primary ransom to decrypt their data, some LockBit victims may never be named or have their exfiltrated data posted on leak sites. As a result, the leak sites reveal a portion of LockBit affiliates’ total victims.” 

The advisory disclosed that up to the first quarter of this year, a total of 1,653 alleged victims were observed on LockBit leak sites. With the introduction of LockBit 2.0 and LockBit 3.0, the leak sites have changed, with some sources choosing to differentiate leak sites by LockBit version and others ignoring any differentiation. Over time, and through different evolutions of LockBit, the address and layout of LockBit leak sites have changed, and they are aggregated under the common denominator of the LockBit name.

“The introduction of LockBit 2.0 at the end of the Q2 2021 had an immediate impact on the cybercriminal market due to multiple RaaS operations shutting down in May and June 2021 (e.g., DarkSide and Avaddon),” according to the advisory. “LockBit competed with other RaaS operations, like Hive RaaS, to fill the gap in the cybercriminal market leading to an influx of LockBit affiliates.”

During their intrusions, LockBit affiliates have been observed using various freeware and open-source tools that are intended for legal use, the advisory outlined. When repurposed by LockBit, these tools are then used for various malicious cyber activities, such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration. 

The advisory added that the use of PowerShell and batch scripts is observed across most intrusions, focused on system discovery, reconnaissance, password/credential hunting, and privilege escalation. Artifacts of professional penetration-testing tools such as Metasploit and Cobalt Strike have also been observed.

Commenting on the release of the cybersecurity advisory, Dror Liwer, co-founder of cybersecurity company Coro, wrote in an emailed statement that “as we see more and more ‘attack as a service’ offerings, two worrying trends emerge. The ability to execute relatively sophisticated attacks with no deep technical knowledge, lowering the barrier to entry significantly, which results in many more threat actors. A secondary trend is now that the barrier of entry has been lowered, and the attack cost has been commoditized, the ROI of attacks against mid-market and small organizations has improved greatly, leading attackers to target these much more vulnerable organizations, who do not have the same security stack or teams protecting them as the Fortune 500 do.”

“Lockbit’s cybercrime wave is significant, notably the proceeds of which helped Russia offset some western economic sanctions,” Tom Kellermann, senior vice president of cyber strategy at Contrast Security, wrote in a statement. “The most nefarious ransomware gangs are affiliated with cybercrime cartels that enjoy a pax mafiosa with the Russian government.”

The advisory recommends that organizations consider implementing sandboxed browsers; requiring all accounts with password logins to comply with NIST standards for developing and managing password policies; implementing filters at the email gateway; installing a web application firewall; segmenting networks; adopting least-privilege best practice; enforcing the management and auditing of user accounts with administrative privileges; and implementing time-based access for accounts at the admin level and higher.

It also suggests developing and regularly updating comprehensive network diagram(s); controlling and restricting network connections; enabling enhanced PowerShell logging; configuring the Windows Registry to require UAC approval for any PsExec operations; disabling command-line and scripting activities and permissions; enabling credential guard; and implementing Local Administrator Password Solution (LAPS). 

The document also advises that organizations apply local security policies to control application execution and establish an application allowlist of approved software applications and binaries. It also calls for restricting New Technology LAN Manager (NTLM) use with security policies and firewalling.

It also proposes implementing a tiering model by creating trust zones dedicated to an organization’s most sensitive assets, noting that VPN access should not be considered a trusted network zone. Organizations should also block connections to known malicious systems and use web filtering or a Cloud Access Security Broker (CASB).
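One way to check a Windows host against several of the registry-backed mitigations listed above (enhanced PowerShell logging, remote UAC token filtering that affects PsExec-style remote execution, NTLM restriction, Credential Guard), as an added PowerShell example that is not code from the advisory or the article; the registry paths, value names and expected values are this example's assumptions about the standard policy locations for each control:

```powershell
# Added example: audit a host for a handful of the advisory's registry-backed mitigations.
# Assumptions: standard policy registry locations for each control; expected values chosen here.
# Run in an elevated PowerShell session; exits non-zero if any control is non-compliant.

$checks = @(
    @{ Control = 'PowerShell script block logging'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Name = 'EnableScriptBlockLogging'; Expected = @(1); AbsentOk = $false },
    @{ Control = 'PowerShell module logging'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
       Name = 'EnableModuleLogging'; Expected = @(1); AbsentOk = $false },
    # Remote UAC: 0 (or absent, which is the default) keeps local admin tokens filtered over the network.
    @{ Control = 'Remote UAC token filtering for local accounts'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'LocalAccountTokenFilterPolicy'; Expected = @(0); AbsentOk = $true },
    @{ Control = 'Restrict outgoing NTLM (2 = deny all)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'RestrictSendingNTLMTraffic'; Expected = @(2); AbsentOk = $false },
    @{ Control = 'Credential Guard (1 = on with UEFI lock, 2 = on)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LsaCfgFlags'; Expected = @(1, 2); AbsentOk = $false }
)

function Test-Mitigation {
    param([hashtable]$Check)
    $actual = $null
    try {
        # Read the single value; a missing key or value throws and leaves $actual as $null.
        $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction Stop).($Check.Name)
    } catch { }
    $compliant = if ($null -eq $actual) { $Check.AbsentOk } else { $Check.Expected -contains [int]$actual }
    [pscustomobject]@{
        Control   = $Check.Control
        Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
        Expected  = ($Check.Expected -join ' or ')
        Compliant = $compliant
    }
}

$results = $checks | ForEach-Object { Test-Mitigation -Check $_ }
$results | Format-Table -AutoSize
if ($results.Compliant -contains $false) { exit 1 }
```

The script reports current versus expected values per control; it only reads the registry, so remediation remains a deliberate, separately approved change.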

CISA published this week a binding operational directive calling on federal agencies to secure Internet-exposed management interfaces. The agency will start scanning federal agencies for vulnerable network devices and will require them to either disconnect these devices from the internet or tighten access controls. The move will also provide safeguards for federal information and information systems by establishing core security actions to reduce cyber risk across federal civilian enterprises.
